
Eeeek! My scheduled search went away on the free version!


In a crunch, I just upgraded my 3.x splunk to the latest, due to 2010 issues... didn't read the fine print and just found (after converting to a free license) that my scheduled searches are gone. That's a real bummer, since I used that for scripting other actions.

Usually, new versions ADD functionality, not take away.

Now, I have to figure out how to revert to 3 and solve the 2010 issues a different way.

Yeah, splunk 4.0 free has a different feature set than Splunk 3.4.x free. ;-(

Just pull over the fixed copy of $SPLUNK_HOME/etc/datetime.xml into your existing Splunk 3.x install and 3.4.x should start getting the dates correct again. (You can save it off from Splunk 4.0.8, or download it from the Splunk website.)

You may also want to keep a backup copy lying around, just in case another upgrade overwrites your updated datetime.xml.

If you have a backup of your SPLUNK_HOME folder, I'd recommend starting from there, if you can stand to lose the event data... Splunk 4.0 is a pretty big change and rolling back may not be as simple as it seems; all depending on the complexity of your setup, of course.

Yeah, I'm in the same boat as you. This is quite frustrating. As a small company we're perfectly willing to purchase splunk when we can afford it. It's simply not an option for us at the moment. Removing this functionality in the upgrade has crippled our operational support, as well as lowered my opinion of splunk as a community organisation. (Steps off soap box)

Yet another community fail by us - sorry about that! I will bring this up internally.

One thing I would recommend, though, is to thoroughly read the release notes before upgrading to a major release. We did document this change in Splunk Free so that users would be aware of the differences between 3.x and 4.x.

I agree with thoroughly reading the release notes. I can't fault you guys at all. You're a commercial company that doesn't have to release a free product at all. The fact that you do so is great for smaller companies like mine that will ultimately purchase a license as we grow.

As someone who uses and recommends splunk heavily, it is frustrating that a major release upgrade actually decreased functionality, not enhanced it. Regardless, we'll need a commercial license in the next few months as we're bumping up against the 500 MB a day limit.

I think your trial licenses are perfect, just don't cripple base functionality like scheduled searches and alerts. Clustering, LDAP integration, and deployment servers are definitely enterprise level features, and I personally feel those do merit purchasing an enterprise license.

@araitz Thanks for considering it. Your documentation is always very good... I was in a bind and failed to do the research.

Related: I really appreciate the free version. We're a very small IT shop and can't afford the enterprise license. Have you considered an offering somewhere between the free and enterprise for SMB? $5000 is WAY out of our range, but we could justify something between $500 - $1000, as an example. Or maybe an à la carte option where we can pay only for the features we need?

All feedback on licensing and product in general is appreciated - please feel free to send your thoughts to support at splunk dot com.